Posted by Zonk on Thursday May 25, 2006 @09:44AM from the rfid-underground dept.

kjh1 writes "Wired is running an article on RFID hacking that has potentially scary implications. Many RFID tags have no encryption and will happily transmit their information in the clear if they are active or within range of a reader. Worse yet is that they can be overwritten. Some interesting scenarios and experiments: snagging the code off of a security badge and replaying it to gain access to a secure building; vandalizing library contents by wiping or changing tags on books; changing the prices of items in a grocery or other store; and getting free gas by tweaking the ExxonMobil SpeedPass tags."

I think it's common practice for most serious security badges to rely on RFID for part of the verification, but some sort of user input for the rest. I have a prox card at work (which, I assume, is an RFID-based card), but the card only activates a keypad. Without my PIN, it's useless.

In my experience, college dorm security is a joke. They tell you not to hold the door for anyone, but are you really going to slam it shut in the face of the guy who says he lost his keycard, and is hovering right outside the door? And there are people coming back at all times of the night. There are, however, locks on all of the room doors you should probably make good use of... Not that your general concern is entirely wrong, but this specific case isn't terribly strong. Better, maybe, is that a few of the

Similar but admittedly not dorms, our school is considering going major RFID cards with *every* door lock. Each card is keyed to a unique person, and they can have room access tailored accordingly. Staff and 6th Form students will have them. It will also be used to check out library books, have a 'top-up' system for buying lunch and snacks. Why not integrate RFID tags into college IDs? Each dorm can then be locked to all except those who are actually in that dorm, but the building is locked to far fewer peop

Yes, because nobody in a dorm would be able to hear someone screaming for help...

Dorm security is a joke because for the most part it's not necessary. The people who break into dorms aren't sexual predators, they're common thieves trying to make off with a laptop or two. Most of the time they have legitimate access to the dorm anyway so the front door security is useless to begin with. Lock your door when you go to bed or leave the room, that's all there is to it.

Someone who cops a feel is a little different than a sexual predator at least in my mind.

You also hear stories of college guys hiding out in the women's bathrooms to sneak a peek. That doesn't make them sexual predators either in my book.

On the other hand, the RFID systems implemented at colleges seem like a good method of deterring perverts like these, at least until they overwrite a card with someone else's ID and get them in trouble.

Grabbers are considered sexual predators by the courts, in IL at least. And they should be. . . it strikes me jumping out of the bushes/hiding in showers to grab a woman against their will should be Not OK and is indicative of compulsion, not "kids will be kids".

I'm not saying it's OK behavior by any means, but it doesn't seem like something that should put the poor dumb 18 year old on a sex offender registry. It's certainly something the school should punish him for, but the last thing the kid needs is a felony conviction.

I happen to know the NW University sexual offender. And he's . . . sort of creepy. And when I say sort of creepy, I mean really fucking creepy and should probably have to be supervised around women.

He was complaining one night about the tests they make him take to determine rehabilitation and how they're rigged. He then went into how the questions were all subjective. Stuff like "when walking around at night do you look into people's windows" or somesuch. They were really straightforward questions and he

Someone who cops a feel is a little different than a sexual predator at least in my mind.

Of course, the courts may think differently than you do.

We had a good example hereabouts (a suburb of Boston) a few years back, when there was a news story about a college student who'd had a few drinks on a Saturday night and relieved himself in an alley. Unfortunately for him, he was spotted by a cop, arrested, charged with, and convicted of indecent exposure. It was pointed out in the news stories that now he'd have to register as a sex offender anywhere he ever lived again.

Among all the comments of the draconian nature of this, there were a few that pointed out another problem: To many of us who read the stories, the phrases "sex offender" and "sexual predator" now induce the thought "Probably another guy caught peeing in a dark alley."

Someone once observed that a problem with unjust laws is that they bring the entire legal system into disrespect. Some of the best examples are the extreme reactions to things like this.

Or, if you live in Maine, you might get murdered by some vigilante because you had sex with your 15 year old girlfriend when you were 16 (and therefore had to publicly register as a sex offender). This happened a few weeks back and was in the news, at least in the Boston area.

Security is not guaranteed, even if they were to secure the ID cards. Just by issuing them and requiring their use you already significantly reduce the issues. If a criminal of any type (sexual or whatever) was so determined to try to crack the RFID cards, having them encrypted will just force them to find another hole in the system... or circumvent the system entirely. You cannot guarantee anything. You can only reduce the probability of it happening... but as you approach very high tolerance, the costs g

My college has no keypad. You just swipe your card. That's a huge security risk. Imagine if some sexual predator got access to a dorm. That's scary!

The irony of this statement, in the case of my alma mater, is that the prox card system was implemented largely out of fear of sexual predators. There were a few incidents where an unidentified male, not a student, was found lurking in a women's bathroom/shower in one of the dorms. Previously, all of the dorms were left unlocked during daylight hours duri

I'm recollecting many, many instances where I got through a door swiping a key with no pin or other authentication based on what I know.

Ideally you authenticate on 2 out of these three:

1 - what you know
2 - what you have
3 - what you are (or aren't, depending).

Now that I think about it, most buildings I've been in that use RFID tags to open doors do not use anything but #2.

I found this gizmo at Phidgets [phidgetsusa.com] just poking around on Google after reading TFA and feeling curious. That's the biggest one I found; the rest, once stripped of their case, would be very much like the scanner described in TFA.

Except the keypad is digital so the digits don't always show up in the same order. Thus if somebody shoulder surfing sees you input your code and remembers the pattern, he/she still won't know the correct PIN.

I'm not sure I'm understanding what you're saying. Of course the keypad is digital. My keyboard is digital. Pretty much anything except for a mechanical combination lock is going to be "digital." (Well, even that you can argue is 'digital,' in the non-computerized sense of the term.)

Are you saying that the keypad appears on a screen, with the numbers in a random order in the array? E.g., so that some person might get a keypad numbered [[6,2,9][5,4,7][8,1,3]] and the next person would get [[3,8,4][5,2,1][6,9,7]]?

Seems like a system like that, which requires a touch-screen instead of a regular el-cheapo numeric keypad, would be pretty expensive to implement. If you have a small number of chokepoints where you can put them, it might work, but if you're trying to secure all the exterior doors of a large number of buildings, I could see it getting prohibitively expensive fast.

I have seen a lot of places that use Prox-Cards as their only form of authentication for access control: for whatever reason, people seem to think they're "more secure" than swipe cards. They were actually implemented at a place that I worked a few years ago this way, and I argued against them because of the RFID interception risk, but I got shot down by the PHBs and the system vendors, who said this was 'totally impossible.' I was tempted to try and figure out how to intercept the transmission, but I never had the time to get started.

Are you saying that the keypad appears on a screen, with the numbers in a random order in the array? E.g., so that some person might get a keypad numbered [[6,2,9][5,4,7][8,1,3]] and the next person would get [[3,8,4][5,2,1][6,9,7]]?

That's how ours work here. Most of the time all our security keypads are dark. You use the RFID to light them up and randomize the number positions, then type in a 4-digit code.

In order to get in during off hours you must have MY badge and MY four digit code.

Why not just store *encrypted* data on it? My hard disk doesn't support encryption, but I can store encrypted files (even partitions) on it nonetheless.

I don't get this. The price difference between a computer system + RFID reader/writer and one that also supports encryption should be zero. I think ANY computer system nowadays is perfectly capable of encrypting data.

If all you did was store the key on the card in some encrypted form, and send that every time the card was swiped, you wouldn't have added any security. The way most (insecure) RFID systems work is like this:

Reader: What is your key?
Card: My key is 123456.
Reader: (consults lookup table to see if that key is authorized)... (opens door).

Since the key is being transmitted in the clear, it's trivial for someone to snoop on the conversation and then repeat that key to the reader, and also open the door. This hap

In the latter case, the challenge-response key exchange ensures that even if someone is snooping on the entire transaction, they don't get anything of value. This would not be possible unless the card had enough logic to do the encryption on its own.

In theory anyway. IIRC, the weakness with the Mobil Speedpass was that with only a couple of challenges, the responses were captured and used to crack the private key. Not a big deal if all you can do with a cracked tag is buy some gas, but clearly not strong

It is the card (not the reader) that supports encryption ON THE CARD. I have a stack of contactless smart cards sitting here on my desk that do 3DES and RSA in the chip. These are much harder to crack than a dumb RFID tag.

Think of the reader as simply being a network connection between one computer (the card in this case) and another (your desktop or whatever it is that is letting you in the door).

If you broadcast a static encrypted signal, then all someone has to do is copy that static signal and they are good. Something like that that supports encryption likely has a chip that will encrypt the data dynamically before broadcasting it.

The cards alone aren't the cost barrier. It's the implementation of a contactless crypto card where it all goes to pieces.

Your -special- prox card is one card per building/office that's duplicated many times. No crypto, it just sends its unique ID to the reader when powered. The reader is programmed to accept that card code.

Now, to add a little crypto to the system means perhaps the contactless card does a little computation, or decrypts a message sent from the reader to the card, then returns it to the r
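The difference the posts above describe, a tag that answers every reader with the same string (which any listener can record and repeat, and which a read-only tag or a tag carrying an "encrypted" but fixed blob both amount to) versus a card that must answer a fresh reader-supplied challenge with a key that never crosses the air interface, can be shown in a few dozen lines. The following Python simulation is an added example and is not code from the Wired article, from any commenter, or from any card vendor: the serial number, the 128-bit key, the HMAC-SHA256 response construction and the `Reader` class are all assumptions made for the demonstration.

```python
"""Static-ID tag vs. challenge-response card: which one survives a replayed transcript."""
import hashlib
import hmac
import secrets

# Constructed sample data for the demo: one authorized serial and its per-card secret.
# A real deployment provisions the key into the card chip and the reader back end.
AUTHORIZED_SERIAL = "123456"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key


class StaticIdCard:
    """The common 'dumb' prox tag: powered by the field, it burps out its serial."""

    def __init__(self, serial: str) -> None:
        self.serial = serial

    def respond(self, challenge: bytes) -> str:
        # The tag cannot do anything with the challenge; it always says the same thing.
        # A tag that emits a fixed pre-encrypted blob behaves identically for our purposes.
        return self.serial


class ChallengeResponseCard:
    """A card with enough logic to MAC a reader nonce with a key that never leaves the chip."""

    def __init__(self, serial: str, key: bytes) -> None:
        self.serial = serial
        self._key = key

    def respond(self, challenge: bytes) -> str:
        mac = hmac.new(self._key, challenge + self.serial.encode(), hashlib.sha256).hexdigest()
        return f"{self.serial}:{mac}"


class Reader:
    """The door reader: sends a fresh random challenge, then checks the card's answer."""

    def __init__(self, authorized: dict[str, bytes], require_mac: bool) -> None:
        self.authorized = authorized      # serial -> per-card key (unused in the static system)
        self.require_mac = require_mac    # False models the plain 'what is your key?' system

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, response: str) -> bool:
        serial, _, mac = response.partition(":")
        key = self.authorized.get(serial)
        if key is None:
            return False
        if not self.require_mac:
            return True  # static system: a known serial on the air == authorization
        expected = hmac.new(key, challenge + serial.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


def legitimate_session(reader: Reader, card, transcript: list) -> bool:
    """One genuine tap. A passive sniffer within range records everything exchanged."""
    challenge = reader.new_challenge()
    response = card.respond(challenge)
    transcript.append((challenge, response))
    return reader.verify(challenge, response)


def replay_session(reader: Reader, transcript: list) -> bool:
    """A later session in which a device repeats the recorded answer instead of a card."""
    _old_challenge, recorded_response = transcript[-1]
    challenge = reader.new_challenge()   # the reader picks the nonce; the replayer cannot
    return reader.verify(challenge, recorded_response)


def demo() -> dict[str, bool]:
    results = {}
    # System 1: static ID. The entire 'secret' is transmitted on every tap.
    static_reader = Reader({AUTHORIZED_SERIAL: b""}, require_mac=False)
    sniffed: list = []
    results["static_genuine"] = legitimate_session(static_reader, StaticIdCard(AUTHORIZED_SERIAL), sniffed)
    results["static_replay"] = replay_session(static_reader, sniffed)

    # System 2: challenge-response. Only a nonce and a MAC over it ever cross the air.
    cr_reader = Reader({AUTHORIZED_SERIAL: CARD_KEY}, require_mac=True)
    sniffed = []
    results["cr_genuine"] = legitimate_session(cr_reader, ChallengeResponseCard(AUTHORIZED_SERIAL, CARD_KEY), sniffed)
    results["cr_replay"] = replay_session(cr_reader, sniffed)
    return results


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:15s} door opened: {opened}")
```

Run as written, the static system opens the door for both the genuine tap and the replay, while the challenge-response system opens only for the genuine tap: the recorded MAC was computed over a nonce the reader will never issue again. Two caveats a practitioner would add: the construction is only as strong as the per-card secret and the MAC, so a short key that can be brute-forced offline from a handful of captured challenge/response pairs (the weakness a later comment attributes to the SpeedPass) throws the benefit away, and the reader back end must keep one key per card, since a shared key turns every card into a clone of every other.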

There will be those who can manipulate it. On one hand I think it's awesome that people have the technical expertise to do it. On the other hand it's scary when you want to play by the rules and be affected negatively by something of this sort.

What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.

Yeah I started thinking about this as well, when I first saw those MasterCard and Amex credit cards that have embedded RFID chips so that you can use them to pay for things without having them swiped. (I forget what the system is called...FastPay? SpeedPay?) I don't know whether they use the encrypting chips or not, but my feeling is that they probably don't. Call me cynical, but I have a feeling that if an encrypting chip costs 2,000% more than a non-encrypting one, the credit card companies are probably go

I dislike the idea of shielded wallets because it misses the point. If you want something to default to off without user interaction, you shouldn't be using something that is always on plus another thing that mitigates the always-on effect. Why not just make the RFID circuit default to open and make you do something like squeeze the badge to close the circuit and enable the RFID capability? Always on means always vulnerable. That gets sold based on convenience, but is it ever really a good idea?

A common paper envelope provides sufficient shielding to prevent the visual reading of a credit card, and the credit card holder can visually determine the likely effectiveness of the shielding. Reading the magnetic stripe of a credit card while it is inside a paper envelope might be possible, but is not a likely threat. Simply putting a credit card in a shirt pocket is sufficient to prevent the surreptitious reading of common credit cards. A wallet that is shielded to prevent the reading of RFID tags wo

What is really needed for security applications that use RFID is a kind of shielded wallet, that when an RFID tag is placed inside would keep the RFID tag from being read. Preferably one that could carry multiple cards and such. When you want something to be able to read it, you open it up. When you don't, you close it.

...more like what's needed for tags that contain private data is for the tag to be physically activated by the holder. It would only work when you press a 'button' on it...It's the passive

I've got a sheet of metal in my wallet which works well to stop the RFID from working through it... although it might be a bit more effort, I could just wrap it in tinfoil; but the metal sheet works just as well.

I have no RFID equipment to verify this, but it's been reported that card sleeves made of partially conductive material (such as that used in some anti-static bags) are effective at shielding RFID chips from casual activation. So if your card can be activated from a reader 4cm away, one of these sleeves might reduce the range to 0.5cm, meaning you can still authenticate with the card still in the sleeve (by touching it to the reader), but any person on the street with a hand-held RFID reader disguised as a

Don't knock it. I made a tin foil wallet (well, actually metallic tape as used for ductwork.) If I put my RFID card in it, the scanner at work would not open the door. That, and I got a whole lot of cashiers to break out of zombie mode and actually smile with my uber-shiny wallet. Big problem is the folds... metal tends to fatigue fairly quickly, so the wallet split along the seams in a few weeks. Never got around to making shiny wallet 2.0 with a new material for the seams.

I'm thinking about it... and about to make wallet 2.0 as we speak. Or as I write, or...

Anyways, I'm thinking that simply covering the seams with duck tape would really do all that much good, as once the metallic tape fatigues and rips it is quite sharp and would just cut through the duck tape. I'll probably end up using duck for the seams and leaving a small space between the panels of metallic tape.

Oh, and for those about to flame me, the name is duck tape. Gray fabric tape was originally produced

Oh yeah... I was originally going to use Duck Tape (R) but my preliminary research (i.e. farting around on the internet) revealed that the adhesive of this product melts over time when exposed to the heat expected when held close to a body (i.e. in a back pocket). This leads to a sticky mess where all the stuff in the wallet gets covered in gooey adhesive. I get the feeling the situation would be at least as bad with electrical tape... that stuff ends up being a real mess after a while.

I have to hand it to that guy, that's some pretty brilliant homebrew. (He even has a home-built PCB router!) He's right though that if you did a multilayer board you could make the device a lot smaller; and I tend to wonder if you used an FPGA if you couldn't make it even smaller, down to around key-fob size. At any rate, he already seems to have achieved the "cigarette pack" size benchmark for a portable device, or close to it.

While they may have just realized this, everyone else has already known about it. Three years ago I attended BlackHat in Vegas and the presenters already were doing this.

They showed live examples and had very interesting stories about how they were reprogramming cheese to send RFID signals saying they were shaving products. Also, the store they were doing this in used RFID on all their products to make sure everything is shelved in the right place. They would reprogram an item on the shelf (already in the right place) to emit a signal saying it was something else. When the store came by to move the item to the correct place all they would find is the correct item. The presenters say it drove the store nuts.

The cheapest RFID chips - by and large - are not read/write. They're read-only. The Wal-Marts of the world aren't putting read/write RFID in their products. This strikes me as largely a non-issue.
As far as the security-badge scenario; you'd have to be pretty close to the badge to get it to transmit. Like, close enough to have it in your hand. If the bad guy has your badge in his hand, you've already got bigger problems.

Dilbert once ran a strip in which the PHB says "Reasoning that anything I don't understand must be easy..." before assigning Dilbert a monumental task on an impossibly short deadline. This is a mental trap that's easy to fall into.

Another similar trap is "Any security technology I don't understand must be secure."

Everyone has some vague notion of how a traditional lock and key work, and how they might be circumvented.

But if there is no hole where the keyhole should be, and what IS there has some spiffy up-to-date appearance, and is "electronic" or "digital," the natural assumption is that because it clearly isn't a traditional lock and key, it must not have the traditional security vulnerabilities of a traditional lock and key... and since we aren't familiar with the new technology, we assume that "no traditional security vulnerabilities" = "no security vulnerabilities."

And, obviously, the vendor of the new system, who is likely to be in the best situation to know them, isn't likely to explain them to us.

I don't think the security people are as trusting in black box technology as you seem to indicate.

Like everything else there is a cost/security decision that has to be made. One could invest in a system that would use all three possible keys (biometrics, passcode, key), or one could invest in a regular tumbler lock with 6 tumblers.

The reality is that of the population that wants to break into your office, most of them would be stopped by the lock - they don't want to break in badly enough to obtain a

It's really no big deal. The vast majority of RFID chips are simply read-only, because that's the bottom-of-the-line cheapest way to go. The card is "pinged" with a radio field, and the chip burps out its serial number. No overwrite. No virus attack potential. Nothing of interest... Sure you can spoof these by putting a different tag in its place - oh yay, you've done the same cleverness as peeling a price sticker from a different product.

Read/Write tags are a step up in cost. They range from 20 bytes to 256 bytes of data with a 10 digit serial number. Some brands support encrypted encoding formats. There is a trivial one byte "access key code" that prevents a Writer from writing to an RFID tag if this "access key code" byte doesn't match. It's really more of an accident prevention mechanism (so you don't accidentally overwrite an ExxonSpeedPass if it was put in a WalMart system).

Encryption of the "Writable" tags is the responsibility of the application. Since you only have 20 bytes (on the more common, cheaper tags) there isn't much you can do anyway, as the number of permutations at 20! is low enough for most script-kiddies to crack. When you start getting up to 256 bytes, then sure it makes absolute sense to encrypt the contents. But, when you're at that price level, you're already considering the hardware that can encrypt at the signal level.

I think you underestimated how a read-only RFID tag can still be subject to play-back attack. You can fake the presence of an RFID. This becomes a problem when the person deploying RFID doesn't understand the consequences. For example, since perimeter security assumes that authorization is equivalent to the presence of an ID, being able to fake RFID violates this assumption and breaches security. TFA mentions a couple of these examples, where deployment is flawed. The flaw is not in the RFID technology.

I see you obviously own ExxonMobil stock. Please now, nowhere in the article does it state there was identity theft. In fact, if you read the article *gasp* it says the following: "Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free." As for "Noob", please, maybe 15 years ago. *MAYBE* ten years ago that title might have offended me. Come on man, you're in your 30's now, no need to speak like a 14 year-old "k-rad leet haxor".

"Using a laptop and a simple RFID broadcasting device, they tricked the system into letting them fill up for free."

As in so many things on slashdot, the definition of "free" matters here. In this case, it could mean:
1) no one was charged for the fuel by ExxonMobil, or
2) some other ExxonMobil customer was charged for the fuel, but the pumper was not charged, or
3) the fuel was liberated. :-)

It seems to me that #2 is by far the most likely, which is probably what the GP poster was getting at.

I would not technically qualify that as identity theft unless you consider the Speedpass part of your identity. I have a Speedpass and from what I've understood from the contract agreement they supply with the device, any unauthorized charges should be handled in the same manner as an unauthorized charge to the credit card that the Speedpass is linked to. Meaning, call your CC company and dispute the charge with the added step of calling Speedpass and disabling the device. I've never actually had to do

Remind me again how getting nearly $4/gallon gas for free from ExxonMobil and its $8.4 billion quarterly profit is scary.

Well if you are morally challenged, then I would say nothing is wrong with it. Stealing from anyone is, well, stealing, no matter how big a boogie-man you make the large "heartless corporations" out to be.

RFID technology has the potential to do everything its backers claim. Inventory tracking for all manner of transportation and commerce could be MUCH more efficient because it is possible to read hundreds of tagged items at once, and without having to rotate the items to expose the barcodes. Unlike a barcode, or a credit card which is basically just a magnetic barcode, easily readable with commonly available readers or even iron filings, RFIDs can be made to keep their codes secret with encryption. It has to be competently done encryption, with secure, proven algorithms and a unique encryption key for EVERY device (it would be retarded if a bank made all of its RFID credit cards, for instance, use the same key).

Credit card theft and misuse could be almost eliminated with better cards that use encryption so the code changes every time they are used. No longer would the number of your visa card suffice, every transaction would need a new code. For a business relationship, you would press a button on the card to generate a code that a particular merchant could then use repeatedly to charge the card from, and only that merchant.

Of course, every security measure can be broken. Thieves could still swipe actual cards (and they could be cancelled just as quickly like it is today, but no thief could use the card without physically possessing it). With electron microscopes and specialized equipment someone could read the codes out of memory for a card, and create duplicates: but the cost and time involved could easily be so onerous that no criminal ever did it.

I think the slashdot mentality is one of fear of the tech because if the megacorps deploying these cards screw it up, we could end up with a system far less secure than we have now. For instance, wireless internet could have been made pretty much 100% secure from the start, but instead was pathetically easy to hack and far less secure than standard cat-5 jacks with no log on.

I imagine a future walmart or best buy where you grab anything you want to buy and throw it in a mostly plastic shopping cart. You wheel it through a special detector booth enclosed on three sides, and with one big electronic beep EVERYTHING gets instantly scanned, and a total price comes. You take your credit card out of its protective foil sheath, push a physical button ON the card (or press your thumbprint to it), and put it into a little recess on the self checkout machine. You close the foil lined door, another beep follows, you open the door and the transaction is done. 15 seconds, start to finish, whether you are buying 1 item or an entire cart full. No more lines at stores that use the technology, ever. Instead of 30 clerks on the job at Walmart, there are just 4 or so "customer service representatives" to handle problems that come up. There's a roll of bags if you want to bag your own stuff, but otherwise you just push the cart right on out of the store. The guards even at best buy never bother to inspect your cart because each expensive or routinely stolen item has a deeply embedded rfid tag with a writable (WRITE ONCE) field that "knows" if it has been bought. Everything in your cart gets interrogated when you push it through the doors.

No need for a paper receipt, either - a customer id for who bought the item is on the tag for each item. When you return stuff, you don't need a receipt, either, the clerk can quickly scan all your items when returned and press one button to instantly refund your money or give you store credit with your store card.

Course, this is the real world. We can't get fcking word processing to work without any trouble at all on computers in offices because viruses, bloatware, stupid users, feature creep, and constant other problems mean that the commonly used Word is MORE trouble prone than the Windows and DOS WordPerfect I used back in 1990. That's like a modern car being out performed by a Model T! I can imagine this RFID stuff not working right either, or a health scare starting up due to the magneti

I think the slashdot mentality is one of fear of the tech because if the megacorps deploying these cards screw it up, we could end up with a system far less secure than we have now. Even in the ideal example you provide, I STILL need to SEE the receipt to make sure I was charged the right amount for each item. This doesn't guarantee that the system is up-to-date with prices, coupons, rebates, sales, etc. One big beep, and I can get screwed even with all the security measures in place and working p

Ideal solution: throw even more tech at the problem! Use LCDs or OLEDs for the SIGNS labeling products on sale. So, above/below each item for sale an electronic display would have both the name of the product and the current price as of right now. This information would be pulled from the same database that the store computer looks up the price from when you go to check out... Course, you can see where this is going. A good implementation, using high quality electronics and software...with the level of

Problems 1 and 2 are easily addressed. The tag is write once but has an additional field that can be incremented to show the item as having been returned, resold, etc. Each tag has a unique 128 bit encryption key (unique to THAT tag...yes it's a lot of data to process I suppose, but nothing to modern computers, much less the ones when this tech hits the mainstream) that must be known by any equipment that communicates with the tag. So an emitter wouldn't work unless it had access to this database, and an

Ok, I'll waste those mod points I used... Problems 1 and 2, the item itself doesn't care if it's been sold, the store's security system does. The register marks item 245435 as sold in inventory, and the security system queries the inventory. If the database says sold, no need to sound an alarm. If the item is returned, it's added back to the store's inventory. All you have to do is verify that the tag can't be destroyed or removed, and that the security system is capable of scanning any tag leaving the st

After the recent reports that companies like Levis were testing RFID tracking [mobilemag.com] in their clothes I started searching around to see what it'd cost to get an RFID reader if I wanted to start tinkering. Although self-contained hand-held readers are still quite pricey I did find an alternative. There are companies that are selling RFID attachments for Palm and Windows CE devices. For about $200-$400 you can buy an RFID device that plugs into an SD slot. Depending on how much you want to pay you can get just a reader or a reader/writer. With a little bit of software work it probably wouldn't be very difficult at all to whip up an RFID "skimmer" that you could just stick into your pocket. Just casually walk by a security guard and steal his access card, walk around a store and reprogram prices, etc. and nobody would know it was you since you're just walking around and the device in your pocket is doing all the real work.

The last sentence on page 2 says: "Compare that to the hundreds of years experts estimate it would take for today's computers to break the publicly available encryption tool SHA-1, which is used to secure credit card transactions on the Internet."

This is incorrect.

SHA-1 is a digest algorithm. You give it some data, it outputs a 160-bit string that represents a fingerprint of the data. This fingerprint does not allow you to reconstruct the original input, but you can use it to verify data integrity, that data have not been tampered with. This does not protect against eavesdropping. Hacking a digest algorithm means to find, in a reasonable amount of time, two different inputs that produce the same digest.

SHA-1 is not a cipher. A cipher takes plain-text and a cipher-key in, and produces cipher-text out, which would appear to a third person without a cipher-key as a pretty random string.

You're both right. You're right on what SHA-1 is. They're right on SHA-1 protecting credit card transactions. SHA-1 is used to digitally sign those little certificate thingees that the trust model for https:// is built on, and https:// handles most (competently implemented) credit card transactions on the Internet. Compromising SHA-1 (it would have to be a pretty darn severe compromise*) would theoretically allow you to compromise the security of a credit card transaction by maliciously altering certi

The SHA series of digest algorithms are PART of the Secure Sockets Layer cryptographic protocols, which are far and away the most popular way to secure "https://" web sites that collect credit card information.

The June edition contains an interesting article on RFID and its security with respect to consumers. It is a good introductory article that covers all of the main security issues. It also talks about how various people who have been influential in the government are now working for RFID companies (one being Tom Ridge, former Secretary of Homeland Security).

What was interesting to me in the same article is a reference to IBM having a 2001 patent application for tracking individual persons using the RFID constellation they create when carrying around a significant number of RFID tags. You nominate your target and profile what RFIDs they have, and then just look for that specific profile as it floats from detector to detector. This is scary stuff.

On a slightly related note, I remember seeing a comment somewhere about how teenage boys could profile the RFID constellation of hot looking women walking down the street and correlate this with the Victoria's Secret catalogue in order to pick who was wearing the hot lingerie. This is a weird but possible new behaviour that RFIDs are opening.

Of more importance, I saw recently a reference to an RFID tag that could be embedded in currency notes as an anti-counterfeiting measure. Imagine how the muggers would jump on board this if it comes true.

A less scary and more useful application would be something that helps track TV remotes or keys.

You would attach an RFID tag to each item, then set up a few readers to triangulate the position. If all the equipment becomes cheap enough (it will) you could set up readers around the house/apartment, then just look at your computer to see where your keys are on the map of your apartment.

You just made me think of a useful application of position tracking with RFID.

TOP SECRET FACT: Most modern cars have tracking transponders! While you drive on highways. Wires in the road and 14 feet above, work fine and log your car movement. Spy transmission chips embedded in tires that can be read REMOTELY while driving.

A secret initiative exists to track all funnel-points on interstates and US borders for car tire ID transponders (RFID chips embedded in the tire).

Yup. My brother works on them (since 2001).

The us gov T.R.E.A.D. act (which passed) made it illegal to sell new passenger

Seriously though - I hope organizations which are implementing this are seriously considering the security risks and implications. Though I fear the people trying to sell them this technology are emphasizing the cost-savings and largely ignoring the potential for abuse.

A lot of these problems stem from using RFID as authentication (esp. single-factor) rather than identification.

Most of the good RFID-enabled security measures I've seen essentially use the RFID as a rapid user ID. When I approach a secured door, the RFID says "this is Proteus", and a second device (PIN-pad, hand scanner, etc.) says "ok, prove it". That's much the same as a username/password pair, except cloning the RFID has a higher work-factor than guessing a user ID (e.g. it requires physical proximity and specialized hardware).

That doesn't mean RFID isn't secure. It's just that too many people are using it as magical techno-faery-dust to solve security problems, and that behavior leads to insecurity.

Of course, there are real security issues with certain RFID applications. The DoS that can result from removing/altering the tags is concerning -- makes one wonder why the RFID tag in a library book (for example) needs more data than an unalterable serial number. Can't the readers correlate that number with a record in a DB?

Add to that the issue of tracking that comes with things like implantable RFID chips. Yeah, those could just be a serial number. But imagine stores putting RFID scanners in their doorways: they know the ID# of everyone who went in and out of the store, and even if they can't correlate that with your identity, the police could. Now, what if I clone your ID# and rob a store?

Again, though, that's not a problem with the RFID tech, but with an ill-conceived implementation and too much trust. The only security problem with the tech itself is the overwriting/erasing issue.
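The two designs contrasted in the post above (tag UID as the whole credential versus tag UID as a user ID that a PIN then proves) and the serial-number-only library tag, as an added example that is not code from the thread or from any real access-control product. The tag UIDs, holder names, PINs, catalogue entries and the PBKDF2 parameters are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # constructed value for the example


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a PIN verifier; the controller stores this, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class Badge:
    holder: str          # who the tag identifies
    doors: frozenset     # doors this holder may open
    salt: bytes
    pin_hash: bytes


def make_badge(holder: str, doors, pin: str) -> Badge:
    salt = os.urandom(16)
    return Badge(holder, frozenset(doors), salt, hash_pin(pin, salt))


class DoorController:
    """Maps a tag UID to a badge record.

    The UID plays the role of a username: it selects the record but is not a
    secret, since any reader in range can learn it. The PIN is the proof.
    """

    def __init__(self, directory: dict):
        self.directory = directory
        self.audit = []  # (mode, uid, door, granted) for the defender's log

    def single_factor_open(self, tag_uid: str, door: str) -> bool:
        # Tag used as authentication: whoever presents this UID gets in, so a
        # copied or replayed UID is as good as the badge itself.
        badge = self.directory.get(tag_uid)
        granted = badge is not None and door in badge.doors
        self.audit.append(("1fa", tag_uid, door, granted))
        return granted

    def two_factor_open(self, tag_uid: str, door: str, pin: str) -> bool:
        # Tag used as identification: the UID picks the record, the PIN proves
        # the holder; a copied UID alone does nothing without the PIN.
        badge = self.directory.get(tag_uid)
        if badge is None or door not in badge.doors:
            self.audit.append(("2fa", tag_uid, door, False))
            return False
        granted = hmac.compare_digest(hash_pin(pin, badge.salt), badge.pin_hash)
        self.audit.append(("2fa", tag_uid, door, granted))
        return granted


# Constructed directory: UIDs, holders and PINs are sample values.
DIRECTORY = {
    "04A1B2C3": make_badge("proteus", {"lobby", "lab"}, "2468"),
    "04D4E5F6": make_badge("visitor", {"lobby"}, "1357"),
}


def build_controller() -> DoorController:
    return DoorController(DIRECTORY)


# Library tag holding nothing but a serial: the reader trusts only the serial
# and looks the rest up, so a blanked or rewritten tag yields "unknown" rather
# than whatever the tag now claims.
CATALOG = {"LIB-000123": "Applied Cryptography", "LIB-000456": "The Codebreakers"}


def resolve_book(tag_serial: str):
    """Return the catalogue title for a serial, or None if it is not on record."""
    return CATALOG.get(tag_serial)


if __name__ == "__main__":
    ctl = build_controller()
    print("UID alone opens lab:", ctl.single_factor_open("04A1B2C3", "lab"))
    print("UID + wrong PIN:", ctl.two_factor_open("04A1B2C3", "lab", "0000"))
    print("UID + right PIN:", ctl.two_factor_open("04A1B2C3", "lab", "2468"))
    print("rewritten tag serial:", resolve_book("NOT-IN-CATALOG"))
```

The audit list is there because the failure mode the post describes (too much trust in the tag) is also a detection opportunity: a UID that opens doors at two sites within minutes, or a serial the catalogue has never seen, is something the controller can flag rather than silently accept.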

There is a very active resistance to Real-ID here in New Hampshire. We came within a whisper of passing a law (HB1582 [generalcourt.org]) that would have explicitly rejected Real-ID; there was an incredibly passionate speech on the floor of the House of Representatives: here's the video [freestateblogs.net].

In addition, there was a large rally at the NH State Capitol; here is that video [google.com].

Unfortunately, our State Senate pulled some extremely underhanded parliamentary tricks to kill HB1582; all the gory details (and sound bites from the Senate) are here [freestateblogs.net].

The good news is, we here in the "Live Free or Die" state are still actively resisting this intrusion into our privacy!

"He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target's E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who's checking them out."

This makes no sense. Either he has to get access to the library/E-ZPass data (in which case no cookie is needed) or the library needs to be writing to the tag - which it doesn't do.

Can anyone invert the ignorant-reporter-transform which has been applied to this paragraph?

And how is this not being done as is? For anyone who goes into a library, records of what books you check out are kept since you have to submit your library card. Most public libraries are known/thought to share this information with the government as it stands.

I don't know where you get this idea, but currently most public libraries make it a point to destroy the record of you checking out a book after you return it, just so that they don't have this information available if/when the government comes around ask

And how is this not being done as is? For anyone who goes into a library, records of what books you check out are kept since you have to submit your library card. Most public libraries are known/thought to share this information with the government as it stands.

Actually, many libraries are no longer keeping this information specifically so that they can never be forced to give it to the government.

I recently found about $30 in a book - the library had no way of telling me who the last person to check the boo